I'm dealing with a frustrating issue where certain Google users are hitting a roadblock during login, receiving an error that says, 'This account cannot be accessed because the login credentials could not be verified.' The authentication process flows from ADFS through Duo to Google, and it's failing after the Duo prompt. Interestingly, neither Google nor ADFS logs show any events—neither successes nor failures—which makes troubleshooting more complicated. This issue seems to affect specific Organizational Units (OUs), even though the Google sync is operating smoothly and I wish we were on M365 instead. Everything else appears normal: ADFS and AD are healthy, connectivity is good, and the security certificates are valid for a long while. Despite comparing the settings and credentials between working and non-working users, and even trying password changes, nothing seems to resolve the matter. I'm reaching out here hoping someone has encountered a similar situation or has suggestions that I might not have tried yet. Thanks in advance for any insights!
3 Answers
Ah, the ADFS-to-Google dilemma strikes again! This is like being trapped between two systems that really aren't playing nice. You've already checked the usual healthy elements, but the problem is probably lurking somewhere deeper.
Since it’s affecting specific OUs, I suspect there’s a policy issue. Google can be very misleading with its inheritance settings, so I wouldn’t be surprised if a parent OU has an old SSO setting that conflicts. Also, check your ADFS claims rules. If there's any attribute being passed from AD that Google no longer accepts, it will just fail without a proper error message. That’s how ADFS tends to operate—silently.
If I were you, I’d create a test user in one of the problematic OUs with a clean slate. See if they can log in. If they can, then it’s likely a legacy setting in the group. If not, the issue is probably with your OU policy. Don't keep banging your head against the wall; get to the root directly!
It sounds like you have a federated setup with AD linked to Google and Google linked to Duo, right? Just to clarify, are any of these users Super Admins? Because Super Admins can't use SSO with Google. If they aren't, the problem might lie in how your SSO is configured for those OUs. Check if there are any specific SSO profile rules affecting them. I’d recommend trying to reapply the SSO profile across all OUs or maybe set Duo as the default profile for your organization.
By the way, do any of these users have accents in their names?
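
The checks raised in the answers above (claim rules, attribute differences between a working and a failing user, accented characters), collected into an added PowerShell example that is not part of any answer in this thread. The trust name `Google` and both account names are assumptions; replace them with your own values.

```powershell
#Requires -Modules ADFS, ActiveDirectory
# Run on the AD FS server with the AD PowerShell tools installed.
# All three values below are placeholders/assumptions, not from the thread.
$trustName   = 'Google'         # assumed display name of the relying party trust
$workingUser = 'working.user'   # placeholder sAMAccountName that can sign in
$failingUser = 'failing.user'   # placeholder sAMAccountName from an affected OU

# 1. Print the issuance transform rules so you can see which AD attribute
#    is issued as the Name ID claim sent to Google.
$trust = Get-AdfsRelyingPartyTrust -Name $trustName
if (-not $trust) { throw "No relying party trust named '$trustName'." }
$trust.IssuanceTransformRules

# 2. Compare the attributes those rules commonly draw on, side by side.
$attrs = 'mail', 'userPrincipalName', 'displayName', 'givenName', 'sn'
$good  = Get-ADUser -Identity $workingUser -Properties $attrs
$bad   = Get-ADUser -Identity $failingUser -Properties $attrs

$attrs | ForEach-Object {
    $w = [string]$good.$_
    $f = [string]$bad.$_
    [pscustomobject]@{
        Attribute       = $_
        Working         = $w
        Failing         = $f
        # An empty source attribute means the claim is never issued.
        FailingEmpty    = [string]::IsNullOrWhiteSpace($f)
        # Flags accented or other non-ASCII characters in the value.
        FailingNonAscii = $f -match '[^\x00-\x7F]'
    }
} | Format-Table -AutoSize
```

Look at the row for whichever attribute the rules in step 1 issue as Name ID: an empty value, a non-ASCII character, or a value that differs in form from the working user's is the first thing to chase.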
